A vulnerability in Cisco access lists allows some packets to be erroneously routed which one would expect to be filtered by the access list and vice-versa. This vulnerability can allow unauthorized traffic to pass through the gateway and can block authorized traffic.

If a Cisco router is configured to use extended IP access lists for traffic filtering on an MCI, SCI, cBus or cBusII interface, and the IP route cache is enabled, and the "established" keyword is used in the access list, then the access list can be improperly evaluated. This can permit packets which should be filtered and filter packets which should be permitted.